
Researchers find new POS malware with no data exfiltration capabilities

Researchers have discovered a point-of-sale malware program, RtPOS, that saves payment card data locally but does not exfiltrate it to a command-and-control server, perhaps so its activity is less likely to be detected as anomalous.

The lack of exfiltration also suggests that the malware is a post-compromise tool that attackers would only use if they've already compromised the target machine and have other means of transmitting the stolen data, according to an Aug. 25 blog post from Booz Allen Hamilton's Managed Threat Services unit. However, it's also possible that RtPOS is merely in development and its exfiltration capabilities simply haven't been added yet.

Based on its 2017 compile time, RtPOS has existed in some form since at least last year. With zero networking capabilities, it can only be found on the victim's infected endpoint. It features Russian-language code, and its file name, alohae.exe, falsely suggests that the malware is really the "Windows Logon Service."

Upon installation, RtPOS "iterates the available/running processes on the compromised machine," the blog post explains. "This is carried out in two steps: first, RtPOS uses CreateToolhelp32Snapshot to obtain a process list, and finally uses Process32FirstW to begin iteration of the process list." 

Later, it uses the ReadProcessMemory function to access the POS system's memory space, presumably in order to perform RAM-scraping on transactions before payment data can be encrypted. The malware then takes any stolen Track 1 and Track 2 data and uses a checksum formula to validate the payment card numbers. Those deemed valid are saved in a .dat file in the Windows\SysWOW64 folder for later exfiltration, although the malware itself cannot perform that function.
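Because RtPOS leaves its output on disk rather than sending it anywhere, an incident responder's first question about a suspicious .dat file in Windows\SysWOW64 is whether it actually holds card data. The following triage helper is an added example, not code from the Booz Allen post or from the malware: it pulls Track 1 and Track 2 records out of a file and applies the same Luhn checksum the article refers to, so a responder can confirm a dump and count affected cards without handling full PANs. The sample dump is constructed and uses only standard test card numbers; the track layout, field regexes, and function names are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of what a scraped-track dump might look like. The PANs are
# the well-known Visa/Mastercard test numbers, not real cards; the third record
# has a corrupted check digit so it should fail Luhn validation.
SAMPLE_DUMP = (
    "%B4111111111111111^DOE/JOHN^25121011000000000000?\n"
    ";5555555555554444=25121011234567890?\n"
    ";4111111111111112=25121011234567890?\n"
)

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code>...?
# Track 2:            ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage_dump(data: str) -> List[Dict]:
    """Extract track records and flag which PANs pass the checksum.

    Only masked PANs are returned; the responder never needs the full number
    to decide whether the file is a card dump.
    """
    findings: List[Dict] = []
    for m in TRACK1_RE.finditer(data):
        pan = m.group(1)
        findings.append({"track": 1, "pan": mask_pan(pan),
                         "expiry": m.group(3), "luhn_ok": luhn_valid(pan)})
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1)
        findings.append({"track": 2, "pan": mask_pan(pan),
                         "expiry": m.group(2), "luhn_ok": luhn_valid(pan)})
    return findings


def triage_file(path: str) -> List[Dict]:
    """Convenience wrapper for a file pulled from a suspect host."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return triage_dump(fh.read())


if __name__ == "__main__":
    for f in triage_dump(SAMPLE_DUMP):
        status = "valid" if f["luhn_ok"] else "FAILS LUHN"
        print(f"track{f['track']} {f['pan']} exp {f['expiry']} {status}")
```

Run against a copy of the file from the affected host (`triage_file("/evidence/suspect.dat")`); a file with several Luhn-valid records in track format is a card dump and should escalate to the card brands' breach process, while a file with none is likely noise. Because the Luhn check is what the malware itself uses to filter candidates, a genuine RtPOS output file should validate almost entirely.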

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
